razor.dvwssr.txt

razor.dvwssr.txt
Posted Apr 23, 2000
Authored by Simple Nomad | Site razor.bindview.com

BindView RAZOR Team Analysis of DVWSSR.DLL - The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems should investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used.

tags | exploit
SHA-256 | 8ae1ac958cdd839a071092f69cb028444e52101f3979ebfa78fac418bae535d2

BindView RAZOR Team Analysis of DVWSSR.DLL Risks

Risks Uncovered:
================

The risks of having dvwssr.dll are not as severe as originally reported in
media outlets Friday morning, but still severe enough that system
administrators responsible for NT systems should investigate. The risks
involve whether or not a certain DLL is loaded, how rights are set, and
potentially how Front Page 98 is used.

1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage
98, you have the vulnerable dvwssr.dll loaded.

2. To run the dll remotely you need to have read access to the dll. This
is not assigned by default. Typically on systems with multiple virtual
hosts the administrator could have stuck everyone with a virtual host on
the system into a group and given that group access to the dll. This would
imply that any virtual host maintainer could look at other hosts' files.
Obviously a misconfigured host might allow anonymous access, but this
would require purposeful actions by the administrator for this to exist.

3. The files in question are asp files. This dll gives you the ability to
read asp source, so it is possible that hardcoded user names and passwords
to backend systems may be viewed. This is essentially the risk that Rain
Forest Puppy found.

4. There exists a buffer overflow in the dvwssr.dll. At offset 0x581811C9
in the DLL is an unchecked lstrcpy. By sending a large string of
characters, the dvwssr.dll can be overflowed. By carefully constructing
these characters, it is possible to remotely execute commands as "system",
which can be used for elevating privileges. The buffer overflow was
uncovered by CoreSDI.

5. In theory if you can get the hash of a user with the access, you can
exploit the buffer overflow. This is called "passing the hash", and
essentially means that you use the hash without cracking the password to
authenticate to the target server. See
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0
for details from RAZOR's Paul Ashton on the basis for this technique. This
technique is currently one of the stars of Foundstone's "Hacking Exposed:
Live" presentations being put on by George Kurtz and Eric Schultze at
security shows around the globe. Certainly in theory this could be adapted
to this exploit.

6. Sniffing the NT LanMan password hash being sent by a legitimate FP98
user using L0phtcrack, and subsequently cracking the password, would
certainly give you the proper access to run the dll, and therefore elevate
privileges. This would of course mean that the sniffer would have to be
located between the legit user and the target server, but is not beyond
the realm of possibility.

Detection of the DLL:
=====================

Detection is quite simple. The following examples use NetCat:

Example 1:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 500 Server Error (The system could not find the environment
option that was entered. )

The 500 error means dvwssr.dll is not present.

Example 2:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 401 Access Denied

The 401 error means dvwssr.dll is present but you do not have the rights to it.

Example 3:
$ nc -v -w2 target.system 80
GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

Connection closed by foreign host.

The connection closed means that you had the rights to run the DLL, but
since no parameters were passed the connection was completed.
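As an added example, not part of the original advisory, the following Python script sends the same request the three netcat examples above do and maps the reply onto the outcomes they describe (500 means absent, 401 means present but protected, a silent close means present and runnable). The outcome labels, function names and the sample replies are my own; the samples are constructed from Examples 1 to 3. Any other status code is reported as "unknown" so the administrator looks at it by hand instead of the script guessing.

```python
"""Probe for dvwssr.dll the way the advisory's netcat examples do, and map
the server's reaction onto the three outcomes the advisory describes."""
import socket
import sys

PROBE_PATH = "/_vti_bin/_vti_aut/dvwssr.dll"

# Outcome labels (assumed names, not taken from the advisory)
ABSENT = "absent"                          # 500 Server Error
PRESENT_PROTECTED = "present-protected"    # 401 Access Denied
PRESENT_ACCESSIBLE = "present-accessible"  # server closes without a status line
UNKNOWN = "unknown"                        # anything else: inspect by hand


def classify_response(raw: bytes) -> str:
    """Classify the raw bytes a server returned to the GET request.

    An empty reply means the server closed the connection without
    answering, which the advisory reads as "DLL present and you have
    rights to run it".
    """
    if not raw.strip():
        return PRESENT_ACCESSIBLE
    status_line = raw.lstrip().splitlines()[0].decode("latin-1", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].upper().startswith("HTTP/"):
        return UNKNOWN
    code = parts[1]
    if code == "500":
        return ABSENT
    if code == "401":
        return PRESENT_PROTECTED
    return UNKNOWN


def probe(host: str, port: int = 80, timeout: float = 2.0) -> str:
    """Send 'GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0' followed by a blank
    line (what "hit enter twice" produces in the netcat examples) and
    classify whatever arrives before the server closes or the timeout hits."""
    request = f"GET {PROBE_PATH} HTTP/1.0\r\n\r\n".encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break          # keep whatever was received so far
                if not data:
                    break          # orderly close by the server
                chunks.append(data)
    except ConnectionResetError:
        pass                       # abrupt close: still a "closed" outcome
    return classify_response(b"".join(chunks))


# Constructed sample replies modelled on the advisory's Examples 1 to 3
SAMPLE_REPLIES = {
    "example 1": b"HTTP/1.0 500 Server Error (The system could not find the "
                 b"environment option that was entered. )\r\n\r\n",
    "example 2": b"HTTP/1.0 401 Access Denied\r\n\r\n",
    "example 3": b"",   # "Connection closed by foreign host", nothing sent
}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name}: {classify_response(reply)}")
    # Optional live probe: python dvwssr_check.py target.system [port]
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(f"{host}:{port}: {probe(host, port)}")
```

The raw socket is used instead of an HTTP library so that a server closing the connection without sending any status line is observed exactly as netcat shows it, rather than being turned into a library exception that hides the distinction between Example 2 and Example 3.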

Users of BindView's HackerShield can use the Rapid Fire Update released on
the evening of April 14 to detect the presence of the DLL on the systems
they manage.

Elimination of Vulnerability:
=============================

Microsoft's original recommendation of removal of the DLL still stands as
this eliminates the vulnerability completely. See
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp for
details.

Credits
=======

The technical details in this analysis were provided by Todd Sabin and
Paul Ashton of BindView's RAZOR team (in addition to information made
public by Rain Forest Puppy and CoreSDI).

- Simple Nomad - No rest for the Wicca'd -
- thegnome@nmrc.org - www.nmrc.org -
- thegnome@razor.bindview.com - razor.bindview.com -